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CLOUDFLARE 


CLOUDFLARE DATA PROCESSING ADDENDUM 


Cloudflare, Inc. (“Cloudflare”) and the counterparty agreeing to these terms (“Customer”) have entered into an 
Enterprise Subscription Agreement, Self-Serve Subscription Agreement or other written or electronic agreement for 
the Services provided by Cloudflare (the “Main Agreement”). This Data Processing Addendum, including the 
appendices (the “DPA’’), forms part of the Main Agreement. 


This DPA will be effective, and will replace and supersede any previously applicable terms relating to their subject 
matter (including any data processing amendment, agreement or addendum relating to the Services), from the date 
on which Customer signed or the parties otherwise agreed to this DPA (“DPA Effective Date”). 


If you are accepting this DPA on behalf of Customer, you warrant that: (a) you have full legal authority to 
bind Customer to this DPA; (b) you have read and understand this DPA; and (c) you agree, on behalf of 
Customer, to this DPA. If you do not have the legal authority to bind Customer, please do not accept this DPA. 


DATA PROCESSING TERMS 


This DPA applies where Cloudflare processes Personal Data as a Processor (or sub-Processor as applicable) on 
behalf of Customer to provide the Services and such Personal Data is subject to Applicable Data Protection Laws (as 
defined below). 


The parties have agreed to enter into this DPA in order to ensure that appropriate safeguards are in place to protect 
such Personal Data in accordance with Applicable Data Protection Laws. Accordingly, Cloudflare agrees to comply 
with the following provisions with respect to any Personal Data that it processes as a Processor (or sub-Processor as 
applicable) on behalf of Customer. 


1. Definitions 
1.1 The following definitions are used in this DPA: 


a) “Adequate Country” means a country or territory that is recognized under European Data Protection 
Laws as providing adequate protection for Personal Data. 


b) “Affiliate” means, with respect to a party, any corporate entity that, directly or indirectly, Controls, is 
Controlled by, or is under Common Control with such party (but only for so long as such Control 
exists). 


c) “Applicable Data Protection Laws” means all laws and regulations that are applicable to the 
processing of Personal Data under the Main Agreement, including European Data Protection Laws and 
the United States Data Protection Laws. 


d) “Cloudflare Group” means Cloudflare and any of its Affiliates. 
e) “Controller” means an entity that determines the purposes and means of the processing of Personal 
Data, and includes “controller,” “business,” or analogous term as defined under the Applicable Data 


Protection Laws. 


f) “Customer Group” means Customer and any of its Affiliates. 
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g) 


h) 


)) 


k) 


D 


m) 


n) 


0) 


p) 


“EU SCCs” means the contractual clauses annexed to the European Commission's Implementing 
Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to 
third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council. 


“Data Privacy Framework” means the EU-U.S. Data Privacy Framework, the UK-U.S. extension to 
the EU-U.S. Data Privacy Framework and the Swiss-US Data Privacy Framework as set forth by the 
U.S. Department of Commerce. 


“European Data Protection Laws” means all laws and regulations of the European Union, the 
European Economic Area, their member states, Switzerland, and the United Kingdom applicable to the 
processing of Personal Data under the Main Agreement (including, where applicable, (i) Regulation 
2016/679 of the European Parliament and of the Council on the protection of natural persons with 
regard to the Processing of Personal Data and on the free movement of such data (General Data 
Protection Regulation) (the "EU GDPR"); (ii) the EU GDPR as saved into United Kingdom law by 
virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 and the UK Data 
Protection Act 2018 (the "UK GDPR"); (iii) the Swiss Federal Act on Data Protection of 1 September 
2023 and its corresponding ordinances (“Swiss FADP”); (iv) the EU e-Privacy Directive (Directive 
2002/58/EC); and (v) any and all applicable national data protection laws made under, pursuant to or 
that apply in conjunction with any of (i), (ii), (iii), (iv). 


“Personal Data” means all data which is defined as ‘personal data’, ‘personal information’, or 
‘personally identifiable information’ (or analogous term) under Applicable Data Protection Laws. 
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“processing”, “data subject”, and “supervisory authority” shall have the meanings ascribed to them 
in European Data Protection Law. 


“Processor” means an entity which processes Personal Data on behalf of the Controller, including an 
entity to which another entity discloses a natural individual’s personal information for a business 
purpose pursuant to a written contract that requires the entity receiving the information to only retain, 
use, or disclose Personal Data information for the purpose of providing the Services, and includes 
“processor,” “service provider,” or analogous term defined under the Applicable Data Protection Laws. 


“Services” shall refer to all of the cloud-based solutions offered, marketed or sold by Cloudflare or its 
authorized partners that are designed to increase the performance, security and availability of Internet 
properties, applications and networks, along with any software, software development kits and 
application programming interfaces (“APIs”) made available in connection with the foregoing. 


“Restricted Transfer” means: (i) where the EU GDPR or Swiss FADP applies, a transfer of Personal 
Data from the European Economic Area or Switzerland (as applicable) to a country outside of the 
European Economic Area or Switzerland (as applicable) which is not subject to an adequacy 
determination by the European Commission or Swiss Federal Data Protection and Information 
Commissioner (as applicable); and (ii) where the UK GDPR applies, a transfer of Personal Data from 
the United Kingdom to any other country which is not based on adequacy regulations pursuant to 
Section 17A of the United Kingdom Data Protection Act 2018. For the avoidance of doubt, a transfer 
of Personal Data to the United States pursuant to the Data Privacy Framework shall not be a Restricted 
Transfer. 


“UK Addendum” means the International Data Transfer Addendum (Version B1.0) issued by the 
Information Commissioner's Office under s.119(A) of the UK Data Protection Act 2018, as updated or 
amended from time to time. 


“United States Data Protection Laws” means all laws and regulations of the United States applicable 
to the processing of Personal Data under the Main Agreement, including (a) the California Consumer 
Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (Cal. Civ. Code § 


1.2 


1.3 


2.3 


2.4 


3.1 


1798.100 - 1798.199, 2022) and its implementing regulations (collectively, the “CCPA”), (b) the 
Virginia Consumer Data Protection Act, when effective, (c) the Colorado Privacy Act and its 
implementing regulations, when effective, (d) the Utah Consumer Privacy Act, when effective; and (e) 
Connecticut SB6, An Act Concerning Personal Data Privacy and Online Monitoring, when effective. 


An entity “Controls” another entity if it: (a) holds a majority of the voting rights in it; (b) is a member or 
shareholder of it and has the right to remove a majority of its board of directors or equivalent managing 
body; (c) is a member or shareholder of it and controls alone or pursuant to an agreement with other 
shareholders or members, a majority of the voting rights in it; or (d) has the right to exercise a dominant 
influence over it pursuant to its constitutional documents or pursuant to a contract; and two entities are 
treated as being in “Common Control” if either controls the other (directly or indirectly) or both are 
controlled (directly or indirectly) by the same entity. 


For the purposes of this DPA, “to provide” or “providing” the Services means delivering the Services as 
defined in the Main Agreement; 


Status of the parties 


The type of Personal Data processed pursuant to this DPA and the subject matter, duration, nature and 
purpose of the processing, and the categories of data subjects, are as described in Annex 1. 


Each party warrants in relation to Personal Data that it will comply with and provide the same level of 
privacy protection as required by the Applicable Data Protection Laws. As between the parties, the 
Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the 
means by which the Customer acquired Personal Data. 


In respect of the parties' rights and obligations under this DPA regarding the Personal Data, the parties 
acknowledge and agree that the Customer is the Controller (or a Processor processing Personal Data on 
behalf of a third-party Controller), and Cloudflare is a Processor (or sub-Processor, as applicable). 


If Customer is a Processor, Customer warrants to Cloudflare that Customer’s instructions and actions with 
respect to the Personal Data, including its appointment of Cloudflare as another Processor and, where 
applicable, concluding the EU SCCs (including as they may be amended in clause 6.2 below), have been 
(and will, for the duration of this DPA, continue to be) authorized by the relevant third-party Controller. 


Cloudflare obligations 


With respect to all Personal Data it processes in its role as a Processor or sub-Processor, Cloudflare 
warrants that it shall: 


(a) only process Personal Data for the limited and specified business purpose of providing the 
Services and in accordance with: (i) the Customer's written instructions as set out in the Main 
Agreement and this DPA, unless required to do so by applicable Union or Member State law to 
which Cloudflare is subject, and (ii) the requirements of Applicable Data Protection Laws. In the 
event Cloudflare is required to process Personal Data under Applicable Data Protection Laws, 
Cloudflare shall inform the Customer of that legal requirement before processing, unless that law 
prohibits such information on important grounds of public interest; 


(b) not use the Personal Data for the purposes of marketing or advertising; 


(c) implement appropriate technical and organizational measures to ensure a level of security 
appropriate to the risks that are presented by the processing of Personal Data, in particular 
protection against the accidental or unlawful destruction, loss, alteration, unauthorized disclosure 
of, or access to Personal Data. Such measures include, without limitation, the security measures 
set out in Annex 2 (“Security Measures”). Customer acknowledges that the Security Measures 
are subject to technical progress and development and that Cloudflare may update or modify the 


(d) 


(e) 


(f) 


(g) 


(h) 


(i) 


6) 


Security Measures from time to time, provided that such updates and modifications do not degrade 
or diminish the overall security of the Service; 


ensure that only authorized personnel have access to such Personal Data and that any persons 
whom it authorizes to have access to the Personal Data are under contractual or statutory 
obligations of confidentiality; 


without undue delay notify the Customer upon becoming aware of any breach of security leading 
to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, 
Personal Data transmitted, stored or otherwise processed for the purpose of providing the Services 
to Customer by Cloudflare, its sub-Processors, or any other identified or unidentified third party (a 
“Personal Data Breach”) and provide the Customer with reasonable cooperation and assistance 
in respect of that Personal Data Breach, including all reasonable information in Cloudflare’s 
possession concerning such Personal Data Breach insofar as it affects the Personal Data; 


not make any public announcement about a Personal Data Breach (a “Breach Notice”) without the 
prior written consent of the Customer, unless required by applicable law; 


to the extent Cloudflare is able to verify that a data subject is associated with the Customer, 
promptly notify the Customer if it receives a request from a data subject to exercise any data 
protection rights (including rights of access, rectification or erasure) in respect of that data 
subject’s Personal Data (a “Data Subject Request”). Cloudflare shall not respond to a Data 
Subject Request without the Customer’s prior written consent except to confirm that such request 
relates to the Customer, to which the Customer hereby agrees; 


to the extent Cloudflare is able, and in line with applicable law, provide reasonable assistance to 
Customer in responding to a data subject request to exercise any data protection rights under 
Applicable Data Protection Laws (including rights of access, rectification or erasure) in respect of 
that data subject’s Personal Data if the Customer does not have the ability to address a Data 
Subject Request without Cloudflare’s assistance. The Customer is responsible for verifying that 
the requestor is the data subject in respect of whose Personal Data the request is made. Cloudflare 
bears no responsibility for information provided in good faith to Customer in reliance on this 
subsection. Customer shall cover all costs incurred by Cloudflare in connection with its provision 
of such assistance; 


other than to the extent required to comply with applicable law, following termination or expiry of 
the Main Agreement or completion of the Service, at the choice of Customer, delete or return all 
Personal Data (including copies thereof) processed pursuant to this DPA; 


taking into account the nature of processing and the information available to Cloudflare, provide 
such assistance to the Customer as the Customer reasonably requests in relation to Cloudflare’s 
obligations under Applicable Data Protection Laws with respect to: 


(1) data protection impact assessments and prior consultations (as such terms are defined in 
Applicable Data Protection Laws); 


(11) notifications to the supervisory authority under Applicable Data Protection Laws and/or 
communications to data subjects by the Customer in response to any Personal Data 
Breach; and 

(iii) the Customer’s compliance with its obligations under Applicable Data Protection Laws 


with respect to the security of processing; 


provided that the Customer shall cover all costs incurred by Cloudflare in connection with its 
provision of such assistance; and 


3.2 


3.3 


4.2 


4.3 


4.4 


5. 


5.1 


(k) notify Customer if, in Cloudflare’s opinion, any instructions provided by the Customer under 
clause 3.1(a) infringe Applicable Data Protection Laws, or if Cloudflare otherwise makes a 
determination that it can no longer meet its obligations under Applicable Data Protection Laws 


To the extent that Cloudflare is processing Personal Data on behalf of the Customer within the scope of the 
CCPA, Cloudflare makes the following additional commitments to Customer: Cloudflare will not retain, 
use, or disclose that Personal Data for any purposes other than the purposes set out in the Main Agreement 
and this DPA and as permitted under the CCPA, including under any “sale” exemption. Cloudflare will not 
“sell” or “share” such Personal Data, as those terms are defined in the CCPA. This clause 3.2 does not limit 
or reduce any data protection commitments Cloudflare makes to Customer in the Main Agreement or this 
DPA. 


Cloudflare certifies that it understands and will comply with the obligations and restrictions in clauses 2 
and 3, and the Applicable Data Protection Laws. 


Sub-processing 


Cloudflare will disclose Personal Data to sub-Processors only for the specific purpose of providing the 
Services. 


Cloudflare will ensure that any sub-Processor it engages to provide an aspect of the Service on its behalf in 
connection with this DPA does so only on the basis of a written contract which imposes on such 
sub-Processor terms (i.e., data protection obligations) that are no less protective of Personal Data than those 
imposed on Cloudflare in this DPA (the “Relevant Terms”). Cloudflare shall procure the performance by 
such sub-Processor of the Relevant Terms and shall be liable to the Customer for any breach by such 
sub-Processor of any of the Relevant Terms. 


The Customer grants a general written authorization: (a) to Cloudflare to appoint other members of the 
Cloudflare Group as sub-Processors, and (b) to Cloudflare and other members of the Cloudflare Group to 
appoint third party data center operators, and business, engineering and customer support providers as 
sub-Processors to support the performance of the Service. 


Cloudflare will maintain a list of sub-Processors at https://www.cloudflare.com/gdpr/subprocessors/ and 


will add the names of new and replacement sub-Processors to the list at least thirty (30) days prior to the 
date on which those sub-Processors commence processing of Personal Data. If Customer objects to any 
new or replacement sub-Processor on reasonable grounds related to data protection, it shall notify 
Cloudflare of such objections in writing within ten (10) days of the notification and the parties will seek to 
resolve the matter in good faith. If Cloudflare is reasonably able to provide the Service to the Customer in 
accordance with the Main Agreement without using the sub-Processor and decides in its discretion to do so, 
then Customer will have no further rights under this clause 4.4 in respect of the proposed use of the 
sub-Processor. If Cloudflare, in its discretion, requires use of the sub-Processor and is unable to satisfy 
Customer’s objection regarding the proposed use of the new or replacement sub-Processor, then Customer 
may terminate the applicable Order Form effective upon the date Cloudflare begins use of such new or 
replacement sub-Processor solely with respect to the Service(s) that will use the proposed new 
sub-Processor for the processing of Personal Data. If Customer does not provide a timely objection to any 
new or replacement sub-Processor in accordance with this clause 4.4, Customer will be deemed to have 
consented to the sub-Processor and waived its right to object. 


Audit and records 


Cloudflare shall, in accordance with Applicable Data Protection Laws, make available to Customer such 
information in Cloudflare’s possession or control as Customer may reasonably request with a view to 
demonstrating Cloudflare’s compliance with the obligations of Processors under Applicable Data 
Protection Laws in relation to its processing of Personal Data. 


5.2 


533 


Cloudflare may fulfill Customer’s right of audit under Applicable Protection Laws in relation to Personal 
Data, by providing: 


(a) an audit report not older than thirteen (13) months, prepared by an independent external auditor 
demonstrating that Cloudflare’s technical and organizational measures are sufficient and in accordance 
with an accepted industry audit standard; 


(b) additional information in Cloudflare’s possession or control to a data protection supervisory authority 
when it requests or requires additional information in relation to the processing of Personal Data 
carried out by Cloudflare under this DPA; and 


(c) To the extent that Customer’s Personal Data is subject to the EU SCCs and the information made 
available pursuant to this clause 5.2 is insufficient, in Customer’s reasonable judgment, to confirm 
Cloudflare’s compliance with its obligations under this DPA or Applicable Data Protection Laws, then 
Cloudflare shall enable Customer to request one onsite audit per annual period during the Term (as 
defined in the Main Agreement) to verify Cloudflare’s compliance with its obligations under this DPA 
in accordance with clause 5.3. 


The following additional terms shall apply to audits the Customer requests: 


(a) Customer must send any requests for reviews of Cloudflare’s audit reports to 
customer-compliance@cloudflare.com. 


(b) Following receipt by Cloudflare of a request for audit under clause 5.2(c), Cloudflare and Customer 
will discuss and agree in advance on the reasonable start date, scope, duration of, and security and 
confidentiality controls applicable to any audit under clause 5.2(c). Whenever possible, evidence for 
such an audit will be limited to the evidence collected for Cloudflare’s most recent third-party audit. 


(c) Cloudflare may charge a fee (based on Cloudflare’s reasonable costs) for any audit under clause 5.2(c). 
Cloudflare will provide Customer with further details of any applicable fee, and the basis of its 
calculation, in advance of any such audit. Customer will be responsible for any fees charged by any 
auditor appointed by Customer to execute any such audit. 


(d) Cloudflare may object in writing to an auditor appointed by Customer to conduct any audit under 
clause 5.2(c) if the auditor is, in Cloudflare’s reasonable opinion, not suitably qualified or independent, 
a competitor of Cloudflare, or otherwise manifestly unsuitable (i.e., an auditor whose engagement may 
have a harmful impact on Cloudflare’s business comparable to the aforementioned aspects). Any such 
objection by Cloudflare will require Customer to appoint another auditor or conduct the audit itself. If 
the EU SCCs (including as they may be amended in clause 6.2 below) applies, nothing in this clause 
5.3 varies or modifies the EU SCCs nor affects any supervisory authority’s or data subject’s rights 
under the EU SCCs. 


6. Data transfers from the EEA, Switzerland, and the UK 


6.1 


6.2 


In connection with the Service, the parties anticipate that Cloudflare (and its sub-Processors) may process 
outside of the European Economic Area (“EEA”), Switzerland, and the United Kingdom, certain Personal 
Data protected by European Data Protection Laws in respect of which Customer or a member of the 
Customer Group may be a Controller (or Processor on behalf of a third-party Controller, as applicable). 


The parties agree that when the transfer of Personal Data protected by European Data Protection Laws from 
Customer or any member of the Customer Group to Cloudflare is a Restricted Transfer, then the 
appropriate standard contractual clauses and additional safeguards shall apply as follows: 


(a) EU Transfers: in relation to Personal Data that is protected by the EU GDPR, the EU SCCs will 
apply, completed as follows: 


(b) 


(c) 


(i) 


(it) 


(iii) 


(iv) 
(v) 


(vi) 


(vii) 


(viii) 


Module Two will apply where Customer (or the relevant member of the Customer Group) 
is a Controller and Module Three will apply where Customer (or the relevant member of 
the Customer Group) is a Processor; 


in Clause 7, the optional docking clause will apply; 


in Clause 9, Option 2 will apply, and the time period for prior notice of sub-Processor 
changes shall be as set out in Clause 4.4 of this DPA; 


in Clause 11, the optional language will not apply; 


in Clause 17, Option 2 will apply, and if the data exporter’s Member State does not allow 
for third-party beneficiary rights, then the law of Germany shall apply; 


in Clause 18(b), disputes shall be resolved before the courts of the jurisdiction governing 
the Main Agreement between the parties or, if that jurisdiction is not an EU Member 
State, then the courts in Munich, Germany. In any event, Clause 17 and 18 (b) shall be 
consistent in that the choice of forum and jurisdiction shall fall on the country of the 
governing law; 


Annex I of the EU SCCs shall be deemed completed with the information set out in 
Annex | to this DPA; and 


Annex II of the EU SCCs shall be deemed completed with the information set out in 
Annex 2 to this DPA. 


UK Transfers: in relation to Personal Data that is protected by the UK GDPR, the EU SCCs, 
completed as set out above in clause 6.2(a) of this DPA, shall apply to transfers of such Personal 
Data, except that: 


(i) 


Gi) 


(iii) 


(iv) 


The EU SCCs shall be deemed amended as specified by the UK Addendum, which shall 
be deemed executed between the transferring Customer (or the relevant member of the 
Customer Group) and Cloudflare; 


Any conflict between the terms of the EU SCCs and the UK Addendum shall be resolved 
in accordance with Section 10 and Section 11 of the UK Addendum; 


For the purposes of the UK Addendum, Tables 1 to 3 in Part 1 of the UK Addendum shall 
be deemed completed using the information contained in the Annexes of this DPA; and 


Table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting “neither 
party.” 


Swiss Transfers: in relation to Personal Data that is protected by the Swiss FADP (as amended or 
replaced), the EU SCCs, completed as set out about in clause 6.2(a) of this DPA, shall apply to 
transfers of such Personal Data, except that: 


(i) 


(it) 


(iii) 


the competent supervisory authority in respect of such Personal Data shall be the Swiss 
Federal Data Protection and Information Commissioner; 


in Clause 17, the governing law shall be the laws of Switzerland; 


references to “Member State(s)” in the EU SCCs shall be interpreted to refer to 
Switzerland, and data subjects located in Switzerland shall be entitled to exercise and 
enforce their rights under the EU SCCs in Switzerland; and 


6.3 


6.4 


6.5 


Gv) references to the “General Data Protection Regulation”, “Regulation 2016/679” or 
“GDPR” in the EU SCCs shall be understood to be references to the Swiss FADP (as 
amended or replaced). 


(d) The following terms shall apply to the EU SCCs (including as they may be amended under clauses 
6.2(b)(ii) and 6.2(b)(ii1) above): 


(i) Customer may exercise its right of audit under the EU SCCs as set out in, and subject to 
the requirements of, clause 5 of this DPA; and 


(ii) Cloudflare may appoint sub-Processors as set out in, and subject to the requirements of, 
clauses 4 and 6.3 of this DPA, and Customer may exercise its right to object to 
sub-Processors under the EU SCCs in the manner set out in clause 4.4 of this DPA. 


(e) In the event that any provision of this DPA contradicts, directly or indirectly, the EU SCCs (and 
the UK Addendum, as appropriate), the latter shall prevail. 


In respect of Restricted Transfers made to Cloudflare under clause 6.2, Cloudflare shall not participate in 
(nor permit any sub-Processor to participate in) any further Restricted Transfers of Personal Data (whether 
as an “exporter” or an “importer” of the Personal Data) unless such further Restricted Transfer is made in 
full compliance with Applicable Data Protection Laws and, if applicable, any EU SCCs and/or UK 
Addendum implemented between Customer and Cloudflare. 


Customer acknowledges that Cloudflare complies with the Data Privacy Framework and that transfers of 
Customer Data to Cloudflare made under the Data Privacy Framework shall not be a Restricted Transfer. 
Cloudflare will notify Customer if its Data Privacy Framework certification lapses or is otherwise 
invalidated, in which instance any transfers of Personal Data from Customer to Cloudflare shall 
immediately be deemed a Restricted Transfer and the provisions of Section 6.2 shall apply. 


In the event Customer seeks to conduct any assessment of the adequacy of Cloudflare’s transfers to any 
particular countries or regions, Cloudflare shall, to the extent it is able, provide reasonable assistance to 
Customer for the purpose of any such assessment, provided Customer shall cover all costs incurred by 
Cloudflare in connection with its provision of such assistance. 


7. Third Party Data Access Requests 


7.1 


7.2 


If Cloudflare becomes aware of any third party legal process requesting Personal Data that Cloudflare 
processes on behalf of Customer in its role as Processor or sub-Processor (as applicable) then Cloudflare 
will: 


(a) immediately notify Customer of the request unless such notification is legally prohibited; 


(b) inform the third party that it is a Processor or sub-Processor (as applicable) of the Personal Data 
and is not authorized to disclose the Personal Data without Customer’s consent; 


(c) disclose to the third party the minimum necessary Customer contact details to allow the third party 
to contact the Customer and instruct the third party to direct its data request to Customer; and 


(d) to the extent Cloudflare provides access to or discloses Personal Data in response to third party 
legal process either with Customer authorization or due to a mandatory legal compulsion, then 
Cloudflare will disclose the minimum amount of Personal Data to the extent it is legally required 
to do so and in accordance with the applicable legal process. 


In Cloudflare’s role as a Processor or sub-Processor, as applicable, it may be subject to third party legal 
process issued by a government authority (including a judicial authority) and requesting access to or 


7.3 


7.4 


7.5 


8. 


8.1 


8.2 


8.3 


disclosure of Personal Data. If Cloudflare becomes aware of any third party legal process issued by a 
government authority (including a judicial authority) requesting Personal Data that Cloudflare processes on 
behalf of Customer in its role as Processor or sub-Processor (as applicable) then, to the extent that 
Cloudflare reviews the request with reasonable efforts and as a result is able to identify that such third party 
legal process requesting Personal Data raises a conflict of law, Cloudflare will: 


(a) take all actions identified in clause 7.1 above; 
(b) pursue legal remedies prior to producing Personal Data up to an appellate court level; and 
(c) not disclose Personal Data until (and then only to the extent) required to do so under applicable 


procedural rules. 


Clauses 7.1 and 7.2 shall not apply in the event that Cloudflare has a good-faith belief the government 
request is necessary due to an emergency involving the danger of death or serious physical injury to an 
individual. In such event, Cloudflare shall notify Customer of the data disclosure as soon as possible 
following the disclosure and provide Customer with full details of the same, unless such disclosure is 
legally prohibited. 


Cloudflare will provide Customer with regular updates about third party legal process requesting Personal 
Data in the form of Cloudflare’s semiannual Transparency Report, which is available at 
https://www.cloudflare.com/transparency/. 


As of the date Customer entered into this DPA with Cloudflare, Cloudflare makes the commitments listed 
below. Cloudflare will update these commitments as may be required at 
https://www.cloudflare.com/transparency/: 


(a) Cloudflare has never turned over our encryption or authentication keys or our customers' 
encryption or authentication keys to anyone. 


(b) Cloudflare has never installed any law enforcement software or equipment anywhere on our 
network. 


(c) Cloudflare has never provided any law enforcement organization a feed of our customers' content 
transiting our network. 


(d) Cloudflare has never weakened, compromised, or subverted any of its encryption at the request of 
law enforcement or another third party. 


General 


This DPA is without prejudice to the rights and obligations of the parties under the Main Agreement which 
shall continue to have full force and effect. In the event of any conflict between the terms of this DPA and 
the terms of the Main Agreement, the terms of this DPA shall prevail so far as the subject matter concerns 
the processing of Personal Data. 


Cloudflare’s liability under or in connection with this DPA, including under the EU SCCs, is subject to the 
exclusions and limitations on liability contained in the Main Agreement. In no event does Cloudflare limit 
or exclude its liability towards data subjects or competent data protection authorities. 


Except where and to the extent expressly provided in the EU SCCs or required as a matter of Applicable 
Data Protection Laws, this DPA does not confer any third-party beneficiary rights; it is intended for the 
benefit of the parties hereto and their respective permitted successors and assigns only, and is not for the 
benefit of, nor may any provision hereof be enforced by, any other person. 


8.4 


8.5 


8.6 


This DPA and any action related thereto shall be governed by and construed in accordance with the laws as 
specified in the Main Agreement, without giving effect to any conflicts of laws principles. The parties 
consent to the personal jurisdiction of, and venue in, the courts specified in the Main Agreement. 


If any provision of this DPA is, for any reason, held to be invalid or unenforceable, the other provisions of 
the DPA will remain enforceable. Without limiting the generality of the foregoing, Customer agrees that 
clause 8.2 (Limitation of Liability) will remain in effect notwithstanding the unenforceability of any 
provision of this DPA. 


This DPA is the final, complete and exclusive agreement of the parties with respect to the subject matter 
hereof and supersedes and merges all prior discussions and agreements between the parties with respect to 
such subject matter. 
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Annex 1 


Data Processing Description 


This Annex 1 forms part of the DPA and describes the processing that Cloudflare will perform on behalf of 
Customer. 

A. LIST OF PARTIES 

Data exporter(s): Customer to complete the right-hand column. 


As stated in the Main Agreement 


Customer and any Customer Affiliates described in the Main 
Agreement. 


As stated in the Main Agreement 


As stated in the Main Agreement 


Use of the Service pursuant to the 
Main Agreement. 


Addresses of Customer and any Customer Affiliates described in the 
Main Agreement (or otherwise notified by Customer to Cloudflare) 


This Annex 1 shall be deemed 
executed upon execution of the 
DPA. 


Controller (or Processor on behalf 
of a third-party Controller). 


101 Townsend Street 
San Francisco, CA 94107 
USA 


Contact person’s name, position and contact details: Emily Hancock 
Data Protection Officer 
legal@cloudflare.com 


Activities relevant to the data transferred under this DPA and the EU | Processing necessary to provide the 
Service to Customer, pursuant to 
the Main Agreement. 


Signature and date: 


This Annex | shall be deemed 
executed upon execution of the 
DPA. 


a Role (controller/processor): Processor (or sub-Processor) 


B. DESCRIPTION OF DATA PROCESSING AND TRANSFER 


Categories of data subjects whose Personal Data is 
transferred: 


Categories of Personal Data transferred: 


Natural persons that (i) access or use Customer’s 
domains, networks, websites, application programming 
interfaces (“APIs”), and applications, or (ii) 
Customers’ employees, agents, or contractors who 
access or use the Services, such as Cloudflare Zero 
Trust end users, (together, “End Users”). 


Natural persons with login credentials for a Cloudflare 
account and/or those who administer any of the 
Services for a Customer (“Administrators”). 


In relation to End Users: 


e Any Personal Data processed in Customer 
Logs, such as IP addresses, and in the case of 
Cloudflare Zero Trust, Cloudflare Zero Trust 
end user names and email addresses. 
“Customer Logs” means any logs of End 
Users’ interactions with Customer’s Internet 
Properties and the Service that are made 
available to Customer via the Service 


dashboard or other online interface during the 
Term by Cloudflare. 


Any Personal Data processed in Customer 
Content, the extent of which is determined 
and controlled by the Customer in its sole 
discretion. “Customer Content” means any 
files, software, scripts, multimedia images, 
graphics, audio, video, text, data, or other 
objects originating or transmitted from or 
processed by any Internet Properties owned, 
controlled or operated by Customer or 
uploaded by Customer through the Service, 
and routed to, passed through, processed 
and/or cached on or within, Cloudflare’s 
network or otherwise transmitted or routed 
using the Service by Customer. 


In relation to Administrative Users: 
e Any Personal Data processed in 


Administrative User audit logs, such as IP 
addresses and email addresses. 


Sensitive data transferred (if applicable) and applied 
restrictions or safeguards that fully take into 
consideration the nature of the data and the risks 
involved, such as for instance strict purpose limitation, 
access restrictions (including access only for staff 
having followed specialized training), keeping a record 
of access to the data, restrictions for onward transfers 
or additional security measures: 


The frequency of the transfer (e.g. whether the data is 
transferred on a one-off or continuous basis): 


Nature of the processing: 


Purpose(s) of the data transfer and further processing: 


The period for which the Personal Data will be 
retained, or, if that is not possible, the criteria used to 
determine that period: 


For transfers to (sub-) Processors, also specify subject 
matter, nature and duration of the processing: 


Customer, its End Users, Administrators, and/or other 
partners may upload content to Customer's online 
properties which may include special categories of 
data, the extent of which is determined and controlled 
by the Customer in its sole discretion. 


Such special categories of data include, but may not be 
limited to, information revealing racial or ethnic 
origins, political opinions, religious or philosophical 
beliefs, trade-union membership, and the processing of 
data concerning an individual’s health or sex life. 


Any such special categories of data shall be protected 
by applying the security measures described in Annex 


Continuous for the duration of the Main Agreement. 


Processing necessary to provide the Services to 
Customer in accordance with the documented 
instructions provided in the Main Agreement and this 
DPA. 


Processing necessary to provide the Services to 
Customer in accordance with the documented 
instructions provided in the Main Agreement and this 
DPA. 


Until the earliest of (i) expiry/termination of the Main 
Agreement, or (ii) the date upon which processing is 
no longer necessary for the purposes of either party 
performing its obligations under the Main Agreement 
(to the extent applicable). 


The subject matter, nature and duration of the 
processing shall be as specified in the Main 
Agreement. 


C. COMPETENT SUPERVISORY AUTHORITY 


Identify the competent supervisory authority/ies in 
accordance (e.g. in accordance with Clause 13 of the 
EU SCCs) 


In respect of the EU SCCs, means the competent 
supervisory authority determined in accordance with 
Clause 13 of the EU SCCs. 


In respect of the UK Addendum, means the UK 
Information Commissioner's Office. 


Annex 2 


Technical an rganizational rity Measur 


Cloudflare has implemented and shall maintain an information security program in accordance with ISO/IEC 27000 
standards. Cloudflare’s security program shall include: 


Measures of encryption of Personal Data 


Cloudflare implements encryption to adequately protect Personal Data using: 
e@ state-of-the-art encryption protocols designed to provide effective protection against active and 
passive attacks with resources known to be available to public authorities; 
e trustworthy public-key certification authorities and infrastructure; 
e effective encryption algorithms and parameterization, such as a minimum of 128-bit key lengths 
for symmetric encryption, and at least 2048-bit RSA or 256-bit ECC key lengths for asymmetric 
algorithms. 


Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and 
services 


Cloudflare enhances the security of processing systems and services in production environments by: 
e employing a code review process to increase the security of the code used to provide the Services; 
and testing code and systems for vulnerabilities before and during use; 
@ maintaining an external bug bounty program; 
e using checks to validate the integrity of encrypted data, and 
e employing preventative and reactive intrusion detection. 


Cloudflare deploys high-availability systems across geographically-distributed data centers. 


Cloudflare implements input control measures to protect and maintain the confidentiality of Personal Data 
including: 
e an authorization policy for the input, reading, alteration and deletion of data; 
e authenticating authorized personnel using unique authentication credentials (passwords) and hard 
tokens; 
e automatically signing-out user IDs after a period of inactivity; 
e protecting the input of data, as well as the reading, alteration and deletion of stored data; and 
@ requiring that data processing facilities (the rooms housing the computer hardware and related 
equipment) are kept locked and secure. 


Measures for ensuring the ability to restore the availability and access to Personal Data in a timely manner in the 
event of a physical or technical incident 


Cloudflare implements measures to ensure that Personal Data is protected from accidental destruction or 
loss, including by maintaining: 

e  disaster-recovery and business continuity plans and procedures; 

e  geographically-distributed data centers; 

e redundant infrastructure, including power supplies and internet connectivity; 

e backups stored at alternative sites and available for restore in case of failure of primary systems; 

and 
e incident management procedures that are regularly tested. 


Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures 
in order to ensure the security of the processing 


Cloudflare’s technical and organizational measures are regularly tested and evaluated by external 
third-party auditors as part of Cloudflare’s Security & Privacy Compliance Program. These may include 
annual ISO/IEC 27001 audits; AICPA SOC 2 Type II; PCI DSS Level 1; and other external audits. 
Measures are also regularly tested by internal audits, as well as annual and targeted risk assessments. 


Measures for user identification and authorization 


Cloudflare implements effective measures for user authentication and privilege management by: 


applying a mandatory access control and authentication policy; 

applying a zero-trust model of identification and authorization; 

authenticating authorized personnel using unique authentication credentials and strong 
multi-factor authentication, including requiring the use of physical hard tokens; 

allocating and managing appropriate privileges according to role, approvals, and exception 
management; and 

applying the principle of least privilege access. 


Measures for the protection of data during transmission 


Cloudflare implements effective measures to protect Personal Data from being read, copied, altered or 
deleted by unauthorized parties during transmission, including by: 


using state-of-the-art transport encryption protocols designed to provide effective protection 
against active and passive attacks with resources known to be available to public authorities; 

using trustworthy public-key certification authorities and infrastructure; 

implementing protective measures against active and passive attacks on the sending and receiving 
systems providing transport encryption, such as adequate firewalls, mutual TLS encryption, API 
authentication, and encryption to protect the gateways and pipelines through which data travels, as 
well as testing for software vulnerabilities and possible backdoors; 

employing effective encryption algorithms and parameterization, such as a minimum of 128-bit 
key lengths for symmetric encryption, and at least 2048-bit RSA or 256-bit ECC key lengths for 
asymmetric algorithms; 

using correctly implemented and properly maintained software, covered under a vulnerability 
management program, and tested for conformity by auditing; 

enforcing secure measures to reliably generate, manage, store and protect encryption keys; and 
audit logging, monitoring, and tracking data transmissions. 


Measures for the protection of data during storage 


Cloudflare implements effective measures to protect Personal Data during storage, controlling and limiting 
access to data processing systems, and by: 


using state-of-the-art encryption protocols designed to provide effective protection against active 
and passive attacks with resources known to be available to public authorities; 

using trustworthy public-key certification authorities and infrastructure; 

testing systems storing data for software vulnerabilities and possible backdoors; 

employing effective encryption algorithms and parameterization, such as requiring all disks 
storing Personal Data to be encrypted with AES-XTS using a key length of 128-bits or longer. 
using correctly implemented and properly maintained software, covered under a vulnerability 
management program, and tested for conformity by auditing; 

enforcing secure measures to reliably generate, manage, store and protect encryption keys; 
identifying and authorizing systems and users with access to data processing systems; 
automatically signing-out users after a period of inactivity; and 

audit logging, monitoring, and tracking access to data processing and storage systems. 


Cloudflare implements access controls to specific areas of data processing systems to ensure only 
authorized users are able to access the Personal Data within the scope and to the extent covered by their 
respective access permission (authorization) and that Personal Data cannot be read, copied or modified or 
removed without authorization. This shall be accomplished by various measures including: 
e employee policies and training in respect of each employee’s access rights to the Personal Data; 
e applying a zero-trust model of user identification and authorization; 
e authenticating authorized personnel using unique authentication credentials and strong multi-factor 
authentication, including requiring the use of physical hard tokens; 
e monitoring actions of those authorized to delete, add or modify Personal Data; 
e release data only to authorized persons, including the allocation of differentiated access rights and 
roles; and 
e controlling access to data, with controlled and documented destruction of data. 


Measures for ensuring physical security of locations at which Personal Data are processed 


Cloudflare maintains and implements effective physical access control policies and measures in order to 
prevent unauthorized persons from gaining access to the data processing equipment (namely database and 
application servers, and related hardware) where the Personal Data are processed or used, including by: 
e establishing secure areas; 
e protecting and restricting access paths; 
e establishing access authorizations for employees and third parties, including the respective 
documentation; 
e all access to data centers where Personal Data are hosted are logged, monitored, and tracked; and 
e data centers where Personal Data are hosted are secured by security alarm systems, and other 
appropriate security measures. 


Measures for ensuring events logging 


Cloudflare has implemented a logging and monitoring program to log, monitor and track access to personal 
data, including by system administrators and to ensure data is processed in accordance with instructions 
received. This is accomplished by various measures, including: 
e authenticating authorized personnel using unique authentication credentials and strong multi-factor 
authentication, including requiring the use of physical hard tokens; 
applying a zero-trust model of user identification and authorization; 
maintaining updated lists of system administrators’ identification details; 
adopting measures to detect, assess, and respond to high-risk anomalies; 
keeping secure, accurate, and unmodified access logs to the processing infrastructure for twelve 
months; and 
e testing the logging configuration, monitoring system, alerting and incident response process at 
least once annually. 


Measures for ensuring system configuration, including default configuration 


Cloudflare maintains configuration baselines for all systems supporting the production data processing 
environment, including third-party systems. Configuration baselines should align with industry best 
practices such as the Center for Internet Security (CIS) Level 1 benchmarks. Automated mechanisms must 
be used to enforce baseline configurations on production systems, and to prevent unauthorized changes. 
Changes to baselines are limited to a small number of authorized Cloudflare personnel, and must follow 
change control processes. Changes must be auditable, and checked regularly to detect deviations from 
baseline configurations. 


Cloudflare configures baselines for the information system using the principle of least privilege. By default, 
access configurations are set to “deny-all,” and default passwords must be changed to meet Cloudflare’s 


policies prior to device installation on the Cloudflare network, or immediately after software or operating 
system installation. Systems are configured to synchronize system time clocks based on International 
Atomic Time or Coordinated Universal Time (UTC), and access to modify time data is restricted to 
authorized personnel. 


Measures for internal IT and IT security governance and management 


Cloudflare maintains internal policies on the acceptable use of IT systems and general information security. 
Cloudflare requires all employees to undertake general security and privacy awareness training at least 
every year. Cloudflare restricts and protects the processing of Personal Data, and has documented and 
implemented: 

e a formal Information Security Management System (ISMS) in order to protect the confidentiality, 
integrity, authenticity, and availability of Cloudflare’s data and information systems, and to ensure 
the effectiveness of security controls over data and information systems that support operations; 
and 

e a formal Privacy Information Management System (PIMS) in order to protect the confidentiality, 
integrity, authenticity, and availability of the policies and procedures supporting Cloudflare’s 
global managed network, as both a processor and a controller of customer information. 


Cloudflare will keep documentation of technical and organizational measures in case of audits and for the 
conservation of evidence. Cloudflare shall take reasonable steps to ensure that persons employed by it, and 
other persons at the place of work concerned, are aware of and comply with the technical and 
organizational measures set forth in this Annex 2. 


Measures for certification/assurance of processes and products 


The implementation of Cloudflare’s ISMS and related security risk management processes have been 
externally certified to the industry-standard ISO/IEC 27001. The implementation of Cloudflare’s 
comprehensive PIMS has been externally certified to the industry-standard ISO/IEC 27701, as both a 
processor and controller of customer information. 


Cloudflare maintains PCI DSS Level 1 compliance for which Cloudflare is audited annually by a 
third-party Qualified Security Assessor. Cloudflare has undertaken other certifications such as the AICPA 
SOC 2 Type II certification in accordance with the AICPA Trust Service Criteria, and details of these and 
other certifications that Cloudflare may undertake from time to time will be made available on Cloudflare’s 
website. 


For transfers to (sub-) Processors, also describe the specific technical and organizational measures to be taken by 
the (sub-) Processor to be able to provide assistance to the controller (and, for transfers from a Processor to a 
sub-Processor, to the data exporter). 


Measure Description 


Self-service access to meet data subject rights of Ability to login to review and edit Personal Data via 
access, erasure, rectification etc. the Cloudflare dashboard. 


